Autopentest AI
Agentic Pentesting MCP server that discovers, exploits, and reports web application vulnerabilities.
What is Autopentest AI?
Autopentest AI is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to agentic pentesting mcp server that discovers, exploits, and reports web application vulnerabilities.
Agentic Pentesting MCP server that discovers, exploits, and reports web application vulnerabilities.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Agentic Pentesting MCP server that discovers, exploits, and
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx autopentest-aiConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use Autopentest AI
Autopentest AI is an agentic penetration testing MCP server that systematically discovers, exploits, and reports web application vulnerabilities following the OWASP Web Security Testing Guide (WSTG). It orchestrates specialised subagents — Scout, Analyzer, Exploiter, and Reporter — across 7 structured phases, exposing over 68 MCP tools that wrap industry-standard security tools including katana, ffuf, sqlmap, dalfox, nuclei, nmap, hydra, and testssl.sh. The server enforces an anti-hallucination framework where every finding must be backed by a real exploit, making it suitable for professional web application security assessments on authorised targets.
Prerequisites
- Docker installed and running (the tool container runs all security tools in isolation)
- Python 3.10 or later and uv package manager for the MCP server
- Make (build tool) available on your system
- An MCP-compatible client such as Claude Desktop
- Written authorisation to test the target web application — running against systems you do not own is illegal
Clone the repository
Clone the autopentest-ai repository to your local machine — the MCP server and Docker tool container are both managed from here.
git clone https://github.com/bhavsec/autopentest-ai.git
cd autopentest-aiInstall the MCP server Python dependencies
Use uv to sync the server dependencies in isolation. The server/ directory contains the MCP entrypoint (server.py).
cd server && uv sync && cd ..Build the Docker image and install security tools
Run make setup to build the Docker image containing all 10+ security tools (katana, ffuf, sqlmap, nuclei, nmap, etc.) used during the pentest.
make setupVerify all tools are installed
Run make verify-tools to confirm every required tool is present and executable inside the Docker container before starting a test.
make verify-toolsCreate a target configuration file
Copy the example YAML config and fill in your authorised target details including URL, scope, and any authentication credentials needed.
# configs/my-target.yaml
target:
url: https://authorised-target.example.com
scope:
- authorised-target.example.com
exclude:
- logout
Authentication:
login_type: form
credentials:
username: testuser
password: testpass
reporting:
tester_name: Your NameConfigure your MCP client
Add both the autopentest-ai MCP server and the Playwright MCP server (used for browser-based discovery) to your .mcp.json config.
{
"mcpServers": {
"wstg-pentest": {
"command": "uv",
"args": ["--directory", "./server", "run", "server.py"]
},
"playwright": {
"command": "npx",
"args": ["-y", "@playwright/mcp"]
}
}
}Autopentest AI Examples
Client configuration
.mcp.json configuration for Autopentest AI with the required companion Playwright MCP server for browser-based testing.
{
"mcpServers": {
"wstg-pentest": {
"command": "uv",
"args": ["--directory", "/path/to/autopentest-ai/server", "run", "server.py"]
},
"playwright": {
"command": "npx",
"args": ["-y", "@playwright/mcp"]
}
}
}Prompts to try
Example prompts that drive the full WSTG assessment workflow, targeted tests, and resuming interrupted engagements.
- "Run a full WSTG assessment against https://authorised-target.example.com using credentials admin / P@ssw0rd123"
- "Load the config from configs/my-target.yaml and run the pentest"
- "Run WSTG-INPV-05 SQL Injection test against https://app.example.com/search?q="
- "Test https://app.example.com for CORS misconfiguration (WSTG-CONF-13)"
- "Resume engagement pentest-2026-02-11-myapp from where it stopped"Troubleshooting Autopentest AI
make setup fails with Docker build errors
Ensure Docker Desktop is running and your user has permission to build images (docker info should work without sudo). On Linux, add your user to the docker group: sudo usermod -aG docker $USER, then log out and back in.
uv sync fails with Python version errors
The server requires Python 3.10. Check your version with python3 --version. If you have multiple Python versions, specify: uv venv --python 3.10 inside the server/ directory before running uv sync.
No findings are reported despite running scans
The anti-hallucination framework requires a confirmed exploit for every finding. Review the task tree for the current phase — the agent may be in a discovery or analysis phase that has not yet produced exploitable results. Allow the full 7-phase workflow to complete.
Frequently Asked Questions about Autopentest AI
What is Autopentest AI?
Autopentest AI is a Model Context Protocol (MCP) server that agentic pentesting mcp server that discovers, exploits, and reports web application vulnerabilities. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Autopentest AI?
Follow the installation instructions on the Autopentest AI GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Autopentest AI?
Autopentest AI works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Autopentest AI free to use?
Yes, Autopentest AI is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.
Autopentest AI Alternatives — Similar Security Servers
Looking for alternatives to Autopentest AI? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up Autopentest AI in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use Autopentest AI?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.